← Back to Home

Ask Poppy – Privacy Policy

Privacy Policy

Effective Date: January 14, 2025

This Privacy Policy explains how Ask Poppy collects, uses, shares, and protects your personal information when you use our AI-powered educational assistant service.

1. Who We Are

Data Controller: Poppy Labs AS ("Ask Poppy", "we", "us", "our") Organization Number: 935 934 486 Registered Address: Oslo, Norway Contact Email: simon@askpoppy.ai

Ask Poppy is subject to Norwegian data protection law and the European General Data Protection Regulation (GDPR) as incorporated into Norwegian law through the EEA Agreement.

2. Eligibility and Age Requirements

Ask Poppy is designed for users aged 13 and over. If you are under 13, you may not create an account or use the service. If you are between 13 and the age of digital consent in your jurisdiction (which may be 16 in some EU countries), you should review these terms with a parent or guardian.

If we discover that a user under 13 has created an account, we will promptly suspend the account and delete their personal data.

3. Information We Collect

3.1 Account Information

When you create an account through our authentication provider (Clerk), we collect:

  • Email address
  • Name (optional)
  • User ID (generated by authentication system)

3.2 Profile and Personalization Data

You may optionally provide:

  • Age or birth year
  • School year/grade level
  • City and country
  • Learning goals and preferred subjects
  • Study schedule preferences
  • How you found Ask Poppy

3.3 Conversation Data

When you use our chat services, we collect and store:

  • Text messages you send
  • AI-generated responses
  • Conversation timestamps
  • Message source (web browser or physical device)
  • Tool/function calls made during conversations (e.g., web searches, language changes)
  • Your reactions to messages (positive/negative feedback)
  • Optional feedback text you provide

3.4 Voice Data

When you use voice features:

  • Audio recordings: Uploaded to our speech processing provider (ElevenLabs) for transcription in real-time. Audio files are NOT permanently stored on our servers.
  • Transcriptions: Text transcripts of your spoken messages are saved to your conversation history.
  • Synthesized speech: Text responses converted to audio and streamed to you. Audio is not stored after delivery.

3.5 Usage Information

We track:

  • Daily message count
  • Daily voice chat duration (in seconds)
  • Last reset timestamp (for daily limits)
  • Device usage events (if you use an Ask Poppy hardware device)

3.6 User Preferences

  • Preferred language
  • Selected voice personality
  • Voice speed settings
  • Privacy preferences (analytics opt-in/out)

3.7 Subscription and Payment Data

If you subscribe to a premium plan:

  • Subscription plan type (weekly, monthly, annual)
  • Subscription status (active, canceled, past_due, paused)
  • Customer ID and subscription ID from our payment processor (LemonSqueezy)
  • Billing cycle dates

Note: Payment card details are handled entirely by LemonSqueezy and never stored on our servers.

3.8 Technical and Analytics Data (Opt-In Only)

When you explicitly enable analytics in your settings:

  • Anonymous usage events (with sensitive content redacted)
  • Session recordings (with text masking enabled)
  • Error logs and stack traces
  • Language preference

Important: Analytics are DISABLED by default and require your explicit opt-in.

4. How We Use Your Information

We use your data to:

  • Authenticate and manage your account
  • Provide AI chat responses tailored to your learning needs
  • Transcribe your voice messages and synthesize audio responses
  • Save and retrieve your conversation history
  • Enforce usage limits (free tier: 50 messages/day; premium: unlimited)
  • Process your subscription and deliver premium features

We use profile information (age, grade, learning goals, subjects) to:

  • Customize AI responses to your education level
  • Provide age-appropriate content
  • Tailor learning recommendations

We process data to:

  • Prevent abuse and fraudulent activity
  • Debug technical issues
  • Ensure system availability and performance
  • Monitor for content policy violations

We may use anonymized conversation data to:

  • Improve AI response quality and safety
  • Identify bugs and usability issues
  • Develop new features

Important Safeguards:

  • We apply automated filters to remove obvious personal identifiers (emails, phone numbers, addresses)
  • We do NOT use data from minors' accounts for model training
  • You can object to this processing at any time (see Section 8)

When you explicitly enable analytics:

  • We use PostHog (EU-hosted) for product analytics
  • Session recordings help us identify UI/UX issues
  • All sensitive text content is redacted before transmission
  • You can disable analytics at any time in Settings

5. Third-Party Service Providers

We work with the following service providers to deliver Ask Poppy:

5.1 Clerk (Authentication)

  • Location: USA/EU
  • Data Shared: Email, name, user ID
  • Purpose: User authentication and account management
  • Safeguards: EU-US Data Privacy Framework participant; Standard Contractual Clauses (SCCs)

5.2 OpenAI (AI Language Model)

  • Location: USA
  • Data Shared: Your messages, conversation history, personalization settings
  • Purpose: Generate AI responses
  • Model: Custom fine-tuned GPT-4 model
  • Training: OpenAI does NOT use API data for training their models. Data is retained for 30 days for abuse monitoring only.
  • Learn More: https://platform.openai.com/docs/guides/your-data

5.3 ElevenLabs (Speech Processing)

  • Location: USA
  • Data Shared: Audio recordings (for transcription), text (for synthesis), language preferences
  • Purpose: Speech-to-text and text-to-speech conversion
  • Retention: ElevenLabs processes audio in real-time. We have disabled model training in our account settings.
  • Safeguards: SCCs for EU data transfers
  • Location: USA
  • Data Shared: Search queries generated by AI (when you ask questions requiring web search)
  • Purpose: Retrieve current information from the web
  • Note: Web search only occurs when necessary to answer your question

5.5 LemonSqueezy (Payment Processing)

  • Location: USA
  • Data Shared: Email, subscription preferences
  • Purpose: Process subscription payments and manage billing
  • Privacy: LemonSqueezy handles all payment card data; we never see your card details

5.6 Resend (Transactional Email)

  • Location: USA
  • Data Shared: Email addresses (for waitlist verification only)
  • Purpose: Send verification emails

5.7 PostHog (Analytics - Opt-In Only)

  • Location: EU (eu.posthog.com)
  • Data Shared: Anonymous usage events, session recordings (when enabled by you)
  • Purpose: Product analytics and debugging
  • Privacy Measures:
    • Text masking enabled on all input fields
    • Message content redacted before transmission
    • Session recordings exclude sensitive form data
  • Control: Disabled by default; you must opt in via Settings

5.8 Cloudflare (Infrastructure)

  • Location: Global edge network
  • Purpose: Hosting, CDN, DDoS protection
  • Data Processed: HTTP requests, security logs
  • Safeguards: EU-US Data Privacy Framework participant

Important: We do NOT sell your personal data to any third party.

6. International Data Transfers

Some of our service providers are based in the United States or process data outside the European Economic Area (EEA). When we transfer your data internationally, we rely on:

  • EU-US Data Privacy Framework certifications
  • European Commission's Standard Contractual Clauses (SCCs)
  • For analytics: PostHog EU hosting keeps data within the EEA

7. Data Retention

  • Account Data: Retained while your account is active
  • Conversations: Retained until you delete them or close your account
  • Usage Counters: Reset daily at midnight (for quota enforcement)
  • Deleted Conversations: Marked as deleted in our database
  • Audio Recordings: NOT stored (processed in real-time only)
  • Analytics Events: Retained per PostHog's retention policy (when opted in)
  • Security Logs: Cloudflare retains logs for approximately 30 days

When you delete your account, all personal data is deleted from our systems and from Clerk within a reasonable timeframe. Third-party processors may retain data according to their policies.

8. Your Privacy Rights

Under GDPR and Norwegian law, you have the following rights:

8.1 Right to Access and Data Portability

  • Export Your Data: Visit /api/gdpr/export while logged in to download all your personal data in JSON format, including:
    • Profile information
    • User settings
    • All conversations with full message history
    • Usage statistics
    • List of third-party processors

8.2 Right to Correction

  • Update your profile and settings directly in the app
  • Contact simon@askpoppy.ai if you cannot correct data yourself

8.3 Right to Deletion ("Right to be Forgotten")

  • Delete Conversations: Delete individual chat sessions in the app
  • Delete Account: Permanently delete your entire account and all associated data (cannot be undone)

8.4 Right to Object to Processing

  • Object to Training: Opt out of your data being used for model improvement:
    • Email simon@askpoppy.ai with subject "Object to training"
    • We will stop using your data for this purpose
  • Object to Analytics: Disable analytics in Settings at any time

8.5 Right to Restrict Processing

Contact simon@askpoppy.ai to request temporary restriction of processing

8.6 Right to Lodge a Complaint

File a complaint with:

  • Datatilsynet (Norwegian Data Protection Authority): www.datatilsynet.no
  • Your local EU data protection supervisory authority

Where processing is based on consent (e.g., analytics), you can withdraw consent at any time via Settings

9. Guest Mode

You can try Ask Poppy without creating an account using Guest Mode:

  • Limit: 3 messages maximum
  • No Storage: Messages are NOT saved to our database
  • Session-Only: Data exists only during your browser session
  • No History: You cannot retrieve guest conversations later

Guest mode is intended for trial purposes only.

10. Cookies and Similar Technologies

Essential Cookies

Used for authentication, session management, and security. These do not require consent as they are strictly necessary.

Analytics Cookies (Opt-In)

When you enable analytics:

  • PostHog sets cookies to track your session
  • These cookies help us understand product usage
  • You can disable them at any time in Settings

Local Storage

We use browser local storage for:

  • Language preference caching
  • Analytics state (when opted in)

11. Security Measures

We implement industry-standard security practices:

  • Encryption in Transit: HTTPS/TLS for all data transmission
  • Authentication: Secure token-based authentication via Clerk
  • Access Controls: Least-privilege access to systems and data
  • Database Security: Environment-based credentials, SQL injection prevention
  • Webhook Verification: HMAC SHA-256 signature verification
  • Content Sanitization: Automated redaction of sensitive data in analytics

No security system is perfect. While we take reasonable steps to protect your data, we cannot guarantee absolute security.

12. Children's Privacy (Ages 13-17)

Minimum Age

You must be at least 13 years old to use Ask Poppy.

Parental Notice

If you are between 13 and the age of digital consent in your country (which may be 16 in some EU countries):

  • Review this Privacy Policy with a parent or guardian
  • We apply enhanced privacy protections for minor accounts
  • We do NOT use minors' data for model training
  • We do NOT conduct behavioral advertising on minors

Parental Rights

Parents/guardians may contact simon@askpoppy.ai to:

  • Request access to their child's data
  • Request deletion of their child's account
  • Ask questions about our privacy practices

13. Device Users (ESP32 Hardware)

If you use an Ask Poppy physical device:

  • The device sends audio to our API for processing
  • Recording is only enabled while holding down the center button
  • Device has no wake-words and microphone is turned off when device is not used
  • We track device ID and usage events
  • We DO NOT access the audio you record
  • Same privacy practices apply as web users
  • You can manage device settings in your account

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect:

  • Changes in our practices
  • New features or services
  • Legal requirements

When we make changes:

  • We will update the "Effective Date" at the top of this page
  • Material changes will be posted prominently on this page
  • Your continued use after changes constitutes acceptance

We recommend reviewing this policy periodically to stay informed about how we protect your data.

15. Contact Us

For privacy-related questions, requests to exercise your rights, or concerns:

Email: simon@askpoppy.ai Subject Line: Include "Privacy Request" for faster response Company: Poppy Labs AS, Oslo, Norway

We will respond to your request within 30 days as required by GDPR.

This Privacy Policy is governed by Norwegian law and GDPR.